Slashdot Mirror


A Tidal Wave of Java Flaw Exploitation

tsu doh nimh writes "Microsoft warned today that it is witnessing a huge spike in the exploitation of Java vulnerabilities on the Windows platform, and that attacks on Java security holes now far outpace the exploitation of Adobe PDF bugs. The Microsoft announcement cites research by blogger Brian Krebs, who has been warning for several months that Java vulnerabilities are showing up as the top moneymakers for those peddling commercial crimeware exploitation kits, such as Eleonore, Crimepack and SEO Sploit Pack." Several days ago, Oracle released a patch that fixed 29 Java security flaws.

7 of 238 comments

  1. Re:How? by adisakp · · Score: 5, Informative

    CVE            Attacks    Computers  Description
    CVE-2008-5353  3,560,669  1,196,480  A deserialization issue in vulnerable versions of JRE (Java Runtime Environment) allows remote code execution through Java-enabled browsers on multiple platforms, such as Microsoft Windows, Linux, and Apple Mac OS X.
    CVE-2009-3867  2,638,311  1,119,191  Another remote code execution, multi-platform issue caused by improper parsing of long file:// URL arguments.
    CVE-2010-0094    213,502    173,123  Another deserialization issue, very similar to CVE-2008-5353.

  2. Re:How? by Florian+Weimer · · Score: 5, Informative

    Propagation generally happens via applets, loaded through IFRAMEs or Javascript-based redirects. Actual payloads are not yet OS-agnostic (even though the exploits themselves are).

  3. Patch bloat by edxwelch · · Score: 5, Interesting

    What's annoying is there is no real "patch" as such. You have to install the entire 77mb package from scratch and it installs crap like the yahoo toolbar by default.

  4. This article speaks the truth by gman003 · · Score: 5, Funny

    I'm still in the process of repairing my Windows system after a Java-transmitted virus. A hacked website was sending out malware to visitors via Java applet, and the only solution I found was a format/reinstall. Since then, I've disabled Java on all my machines; the only things I've seen it used for are crappy browser games and malware.

  5. Re:Patches have been available for a long time by Anonymous Coward · · Score: 5, Funny

    I've run out of space in my head for all the different tools I need to separately manage updates for.

    Sounds like you need a computer.

  6. Re:How? by Bill_the_Engineer · · Score: 5, Informative

    After further research, it appears that Oracle/Sun's latest version of Java addressed these issues for the Windows and Linux platforms. This looks like a case of people not updating their Java JRE.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...

  7. Re:Patches have been available for a long time by Ant+P. · · Score: 5, Funny

    I guess Windows isn't ready for the desktop.